Cash Value of Android Zero-Day Exploits Surpasses iOS

Apple has long positioned itself as the more secure alternative to more open platforms like Windows and Android, but that may no longer hold. As previously unreported “zero-day” iOS exploits pile up, security researchers are seeing the cash value of such research fall. Zerodium, the largest purchaser of such flaws, has updated its bug bounty payouts: Android exploits now command a maximum of $2.5 million, while iOS tops out at $2 million.

Last month, we reported on a series of iOS exploits uncovered by Google’s Project Zero. Google isn’t in the business of selling exploits, so it investigated the campaign and responsibly reported it to Apple. Google found websites using multiple exploit chains to steal data from almost every version of iOS then in use, and those sites had been operating for at least two years.

Apple rolled out an update to iDevices that blocked those exploits, but you have to wonder how many more unreported attacks are floating around out there. The perpetrators of this hack weren’t even treating the exploits like the valuable commodity they are. They were hacking iPhone users indiscriminately when they could have mounted targeted attacks against high-value targets, and going that route they might never have been caught.

Apple talks up iPhone security, but Zerodium says it’s falling behind.

Zerodium buys exploits for big money so it can report the research and mitigation measures exclusively to its corporate and government clients. Zerodium founder and CEO Chaouki Bekrar says the company still gets ample submissions for iOS exploits, mostly targeting Safari and iMessage. There are so many that the company has started turning down some offers from researchers. On the other hand, functional zero-click or one-click exploits for Android are increasingly rare, especially for versions 8.0 and later.

Given the relative state of the two mobile platforms, Zerodium decided it makes sense to assign a higher value to Android exploits. Zerodium doesn’t pay $2.5 million for just any Android hack, though. Researchers have to submit basic details of the hack first, and then wait on an offer from Zerodium. The $2.5 million top offer only applies to serious flaws in Android 8, 9, or 10. Apple’s lower $2 million maximum bounty is still nothing to sneeze at: serious exploits for desktop systems top out at $1 million. Because the mobile platforms were built more recently, they have more security features integrated at a low level, which makes them harder to exploit than desktop operating systems.
